Struggling movie ticket subscription service MoviePass stored thousands of customer card numbers and personal credit cards in a database that was not protected with a password, reports TechCrunch.
The exposed database, which contained 161 million records, was discovered by Mossab Hussain, a Dubai-based security researcher. Many of the records in the database were computer-generated logging messages, but some also featured sensitive user information like MoviePass customer card numbers.
MoviePass customer cards work like debit cards and are issued by Mastercard, allowing customers who sign up for MoviePass to use them to pay for the full cost of movie tickets.
In a sample of 1,000 records, TechCrunch found that a little over half contained unique MoviePass debit card numbers, expiration dates, and card balance. More than 58,000 records containing card data were found.
The unprotected MoviePass database also featured some customers' personal credit card numbers along with expiration dates, names, addresses, and other billing information. TechCrunch says that records contained enough information to allow someone to make fraudulent card purchases, though some records featured card numbers that were masked with the exception of the last four digits.
Email addresses and passwords related to failed login attempts were also found in the database.
The database may have been accessible for months, but MoviePass did not respond to TechCrunch's questions about how long the server was exposed and whether it plans to disclose the incident to customers.
Hussain told TechCrunch that he questions why internal technical teams would be allowed to see critical data in plaintext, "let alone the fact that the dataset was exposed for public access by anyone."
Since its early 2018 launch, MoviePass has failed catastrophically. It ran out of money temporarily in mid-2018 because it was losing up to $40 million per month, and then began cutting back on the quality of service, limiting movie access, raising prices, and even temporarily shutting down.
Earlier this month, there were reports suggesting that MoviePass even went as far as changing the passwords of its most active users in an attempt to save money. Over the course of the last year, MoviePass has allegedly gone from three million subscribers to approximately 225,000.
The exposed database, which contained 161 million records, was discovered by Mossab Hussain, a Dubai-based security researcher. Many of the records in the database were computer-generated logging messages, but some also featured sensitive user information like MoviePass customer card numbers.
MoviePass customer cards work like debit cards and are issued by Mastercard, allowing customers who sign up for MoviePass to use them to pay for the full cost of movie tickets.
In a sample of 1,000 records, TechCrunch found that a little over half contained unique MoviePass debit card numbers, expiration dates, and card balance. More than 58,000 records containing card data were found.
The unprotected MoviePass database also featured some customers' personal credit card numbers along with expiration dates, names, addresses, and other billing information. TechCrunch says that records contained enough information to allow someone to make fraudulent card purchases, though some records featured card numbers that were masked with the exception of the last four digits.
Email addresses and passwords related to failed login attempts were also found in the database.
We found hundreds of records containing the user's email address and presumably incorrectly typed password -- which was logged -- in the database. We verified this by attempting log into the app with an email address and password that didn't exist but only we knew. Our dummy email address and password appeared in the database almost immediately.While Hussain contacted MoviePass CEO Mitch Lowe over the weekend, there was no response. MoviePass left the database online until Tuesday when TechCrunch contacted the company.
The database may have been accessible for months, but MoviePass did not respond to TechCrunch's questions about how long the server was exposed and whether it plans to disclose the incident to customers.
Hussain told TechCrunch that he questions why internal technical teams would be allowed to see critical data in plaintext, "let alone the fact that the dataset was exposed for public access by anyone."
Since its early 2018 launch, MoviePass has failed catastrophically. It ran out of money temporarily in mid-2018 because it was losing up to $40 million per month, and then began cutting back on the quality of service, limiting movie access, raising prices, and even temporarily shutting down.
Earlier this month, there were reports suggesting that MoviePass even went as far as changing the passwords of its most active users in an attempt to save money. Over the course of the last year, MoviePass has allegedly gone from three million subscribers to approximately 225,000.
Tag: MoviePass
23 comments
Apple's new 2019 iPhone lineup uses modems from Intel rather than Qualcomm, PCMag confirmed today thanks to the devices' field test screens.
We already expected Apple to use Intel modems...
A U.S. District Judge in San Jose today certified a class action lawsuit that accuses Apple of using "inferior" refurbished products as replacements for its AppleCare and AppleCare+...
Likely-accurate battery and RAM specifications for the iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max have surfaced in filings submitted to Chinese regulatory agency TENAA and uncovered by...
Apple provided iPhone 11, 11 Pro, and 11 Pro Max review units to members of the media following its September 10 event, and today, those reviews were published, giving us some insight into the new...
It's always interesting to get a look back at Apple's past, especially when it comes to prototype devices that were never actually released to the public, so we thought we'd share some...
Yesterday, noted Apple analyst Ming-Chi Kuo said that iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max pre-orders have been better than expected so far, noting that demand for the higher-end iPhone 11...
The iPhone 11 is set to launch this Friday, September 20, and in advance of that release date the first reviews for the smartphone have begun appearing online. Apple has provided review units of the...
iPhone 11 Pro and iPhone 11 Pro Max reviews are in. The consensus is that the devices are quite familiar and relatively iterative updates as a whole, but with significant advancements to cameras and...
